SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume IX - Issue #17

February 27, 2007

Tomorrow (February 28) is the early registration deadline for SANS 2007 in San Diego. Fifty immersion training courses; a big expo, and all right on the ocean.
http://www.sans.org/sans2007/event.php

---

TOP OF THE NEWS

Cyber Crime on the Rise in Japan

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Judge Grants Restraining Order and Asset Freeze in SEC Fraud Action
Man Faces Prison for Uploading Movie to Internet
Guilty Plea in IRC Trojan Case
German Law Enforcement to Use Custom Malware.
COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT
WGA Anti-Piracy Tool Updated; Foreign Language Versions Rolled Out
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
First Remotely Exploitable Flaw Found In Microsoft Office 2007
Microsoft Looks into Reports of IE 7 and Vista Flaws
Firefox and SeaMonkey Updates Address Vulnerabilities
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Fruit of the Loom Addresses Breaches
Stolen Laptop Holds Worcestershire County Council Staff Data
Stolen Computers Hold Mystery Shoppers' Personal Data
Pharming Malware Web Sites Shuttered
MISCELLANEOUS
Text Strings in Malware Lash Out at ISC

---

*********************** Sponsored By ArcSight, Inc. *********************

Free Whitepaper: Addressing Insider Threats with ArcSight ESM

An attack from a malicious insider - someone trusted by your organization - can be just as devastating as a security breach from outsiders. But insider attacks are often more difficult to detect. Learn how to prevent the loss or exposure of your confidential information in our free whitepaper on Addressing Insider Threats.
http://www.sans.org/info/4076
*************************************************************************
Save more than $200 by registering by tomorrow for SANS 2007 in San Diego Mar 29-April 6: More than 50 immersion training courses on security and audit - taught by the world's best security instructors, plus a big expo all right on the ocean in San Diego. Why attend SANS? "I have attended courses by several of SANS rivals, and SANS blew them away." (Alton Thompson, US Marines).
http://www.sans.org/sans2007/event.php
*************************************************************************

---

TOP OF THE NEWS

Cyber Crime on the Rise in Japan (26 & 23 February 2007)

The rate of reported cyber crime in Japan jumped by 40 percent last year, according to figures from National Police Agency (NPA). The total number of cyber crimes investigated last year was 4,425, up from 3,161 in 2005. Seven-hundred and three of the cases involved illegal access using stolen credentials, nearly three times the number reported in 2005. The number of reported phishing attacks was 220, up from just one the previous year, and there were 197 reports of spyware last year, a six-fold increase over the figures for 2005.
-http://tech.monstersandcritics.com/news/printer_1269204.php
-http://www.americasnetwork.com/americasnetwork/article/articleDetail.jsp?id=4068
80
[Editor's Note (Grefer): The only thing the NPA can claim is that the number of cyber crime investigations rose by 40 percent. However, just like in other countries, this likely is just the tip of the iceberg. Most cyber crime continues to go unreported, given that it would have a severe negative impact on victimized companies, since their reputation would suffer. ]

---

*************************** Sponsored Links: **************************

1) Mobile Data Security Requires More than Just Encrypting Bits on Disks! Four technology requirements (whitepaper)
http://www.sans.org/info/4081

2) Stopping image-based spam - get the white paper from MX Logic. Click here!
http://www.sans.org/info/4086

3) Mobile Preparedness for Business Continuity. Are you prepared to turn office workers into mobile workers?
http://www.sans.org/info/4091
*************************************************************************

---

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Judge Grants Restraining Order and Asset Freeze in SEC Fraud Action (26 February 2007)

A US federal court has granted the Securities and Exchange Commission's (SEC) request for a temporary restraining order and asset freeze against Blue Bottle Limited and its owner and chief executive Matthew Charles Stokes. The SEC's complaint alleges that Stokes accessed computer systems without authorization, obtained corporate news releases before they were made public and used the information to make a US $2.7 million profit in online securities trading. The restraining order bars Stokes from "violating the anti-fraud provisions of federal securities law."
-http://news.zdnet.com/2102-1009_22-6162258.html
-http://www.forbes.com/feeds/ap/2007/02/26/ap3463914.html
-http://www.sec.gov/news/digest/2007/dig022607.txt
(The Blue Bottle case is the third item under the "Enforcement Proceedings" heading)

Man Faces Prison for Uploading Movie to Internet (23 February 2007)

Salvador Nunez Jr. is facing a felony charge of copyright infringement for uploading a copy of the film Flushed Away to the Internet. The charge carries a maximum sentence of three years. A digital watermark in the file identified its source as an Oscar screening copy. Nunez obtained the film from his sister, who received the advance copy because she is an Oscar voter.
-http://www.usatoday.com/tech/news/2007-02-23-flushed-felony_x.htm?csp=34
[Editor's Note (Ullrich): It's amazing how easy it is to get people fined/arrested for something simple like a copyright violation while law enforcement attention to botnets, intrusions and identity theft is limited to a few big cases. ]

Guilty Plea in IRC Trojan Case (23 & 22 February 2007)

Richard C. Honour has pleaded guilty to a charge of computer fraud for releasing a Trojan horse program over an IRC (Internet relay chat) channel. The one count of computer fraud carries a maximum penalty of five years in prison and a US $250,000 fine. The program, called WindowsMedia.exe, infected computers belonging to members of the DarkMyst IRC group; Honour sent messages to the IRC users containing a link he claimed led to a video. The malware opened a back door on infected computers. Evidence gathered from Honour's home indicated he had obtained information from compromised machines.
-http://www.theregister.co.uk/2007/02/22/trojan_plea/print.html
-http://www.vnunet.com/vnunet/news/2184082/hacker-takes-rap-trojan-horse

German Law Enforcement to Use Custom Malware. (27 February 2007)

German law enforcement agencies are pushing for a legal basis to be able to use malware and spyware in investigations. The malware will be used to "bug" suspect's computers. In addition to collecting information from the computer itself, cameras and microphones connected to these computers could be used to monitor conversations.
-http://www.theregister.com/2007/02/27/german_state_hackers/

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

WGA Anti-Piracy Tool Updated; Foreign Language Versions Rolled Out (22 February 2007)

Microsoft has updated its Windows Genuine Advantage Notifications software for Windows XP for English speakers. The company has also begun introducing the tool in 21 non-English speaking countries. The tool lets users know if the software they are running is legitimate. Among the foreign language versions are three for Chinese speakers, two for Portuguese speakers and one for Russian speakers; those countries have been identified as having "long-standing traditions of counterfeiting software." WGA Notifications is delivered via Automatic Update and is optional for Windows XP, but it is mandatory for Windows Vista.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxo
nomyName=security&articleId=9011674&taxonomyId=17&intsrc=kc_top
[Editor's Note (Schultz): All the new security features in Vista will do little good if numerous vulnerabilities such as the ones found recently continue to be found. Good code is far superior from a security perspective to new Vista security features such as Windows Defender and BitLocker encryption.]

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

First Remotely Exploitable Flaw Found In Microsoft Office 2007 (23 February 2007)

eEye informed Microsoft and the world that "a remotely exploitable flaw exists within Publisher 2007 that allows arbitrary code to be executed in the context of the logged in user." Office 2007 was one of the first products to go through Microsoft's SecuritY Development Lifecycle.
-http://www.networkworld.com/news/2007/022307-researchers-spot-first-remote-code.
html?fsrc=rss-security

Microsoft Looks into Reports of IE 7 and Vista Flaws (26 February 2007)

Microsoft is investigating reports of flaws in Internet Explorer 7 (IE 7) and Windows Vista that could be exploited to gain access to sensitive data. The IE 7 flaw lies in the way some "onUnload" events are handled and could be used in phishing scams. IE 6 is vulnerable to this flaw as well. The Windows Vista vulnerability exists in a component that fails to properly validate user permissions. The flaw also affects Windows XP, 2000 and Windows Server 2003. Internet Storm Center:
-http://isc.sans.org/diary.html?storyid=2310
-http://news.com.com/2102-1002_3-6162313.html?tag=st.util.print

Firefox and SeaMonkey Updates Address Vulnerabilities (26 & 23 February 2007)

Mozilla has released new versions of Firefox and SeaMonkey to address a number of vulnerabilities that could be exploited to circumvent security measures, launch cross-site scripting attacks, steal data or take control of vulnerable systems. The most significant flaw is a memory corruption vulnerability. Users are urged to upgrade to Firefox 2.0.0.2 or 1.5.0.10 and SeaMonkey 1.0.8. Users who cannot upgrade right away should disable JavaScript as a temporary workaround.
-http://www.theregister.co.uk/2007/02/26/firefox_update/print.html
-http://www.eweek.com/print_article2/0,1217,a=201809,00.asp
-http://www.mozilla.org/security/announce/2007/mfsa2007-08.html
[Editor's Note (Honan): Given the recent spate of Javacript vulnerabilities in browsers such as IE, Firefox etc. perhaps you should consider disabling Javascript as a permanent workaround. ]

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Fruit of the Loom Addresses Breaches (26 February 2007)

Personally identifiable data belonging to approximately 2,500 current and former Fruit of the Loom employees have been compromised. The data were accessible on the Internet from January 15 until February 20. The data included names and Social Security numbers (SSNs). The compromise also affects some people who worked for Rabun Apparel Inc., a former Fruit of the Loom subsidiary. The company will notify everyone potentially affected by the breach by overnight mail.
-http://www.thenortheastgeorgian.com/articles/2007/02/23/news/business/01business
.prt

Stolen Laptop Holds Worcestershire County Council Staff Data (26 & 23 February 2007)

A laptop computer stolen in a street robbery contains personally identifiable information of approximately 19,000 Worcestershire (UK) County Council staff. The data on the computer include names, addresses, and national insurance and bank account information. The computer was stolen two weeks ago, but affected individuals were notified only recently.
-http://www.worcesternews.co.uk/misc/print.php?artid=1216931
-http://news.bbc.co.uk/2/hi/uk_news/england/hereford/worcs/6396285.stm

Stolen Computers Hold Mystery Shoppers' Personal Data (22 February 2007)

Computers stolen from the Woodlands, Texas office of Speedmark, a company that employs mystery shoppers to evaluate employee conduct for their clients, contain personally identifiable information. The data include names, addresses, email accounts and SSNs of Speedmark mystery shoppers. Speedmark became aware of the theft on December 16, 2006, but affected employees did not learn of the breach until two months later. When a shopper asked someone at the company why there was such a lengthy delay between the discovery of the theft and notification, the person said the company had to restore the data from backups to determine who was affected and "contract with a vendor to produce and mail 35,000 letters." In addition, the company did not notify people by email saying they did not have specific permission to send formal notices through means other than the US Postal Service.
-http://www.consumeraffairs.com/printme.php?url=/news04/2007/02/speedmark.html

Pharming Malware Web Sites Shuttered (23 & 22 February 2007)

An attempt by attackers to trick online banking customers into disclosing their login information has been thwarted. The attack exploited a critical code execution vulnerability in the Microsoft Data Access Components (MDAC) function in Windows; Microsoft issued a patch for the flaw in April 2006. Targets were lured to specific sites seeded with malware. The malware, in turn, downloaded several other pieces of malicious software from a server in Russia. Once their machines were infected, users were directed to phony banking sites where they were asked for their login details. The login credentials were passed to the true site so the victims were unaware that an intermediary was stealing the information. The attack took a lot of work as it required the creation of at least 50 different fake banking web sites for institutions in the US, Europe and the Asia-Pacific region. The vulnerability could be exploited simply by getting someone to visit a website; there is no user interaction required. The web sites with the malicious code have been shut down.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9011653
-http://www.theregister.co.uk/2007/02/23/trojan_phishing_attack/print.html
-http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx
[Editor's Note (Grefer): A recursive download of any one web site (or even 50 of them) is not all that labor intensive, nor is the insertion of a bit of code. When done on this scale, it is likely that the perpetrator(s) spent a bit of though on how to automate the process. Alleging that all these sites have been shut down sounds a bit of hubris. ]

MISCELLANEOUS

Text Strings in Malware Lash Out at ISC (23 February 2007)

The SANS Internet Storm Center received a sample of malware code intended to update a network of infected computers that ISC has been monitoring. The code contained threatening text strings indicating the writers want ISC to stop dogging their efforts. Johannes Ullrich, ISC CTO, believes the perpetrator is someone recently reported to a DNS provider for using its server to send spam. The message carried a veiled threat that if ISC does not leave them alone, ISC's web site would be the target of an attack. Ullrich says the text strings indicate ISC is doing what they're supposed to be doing - thwarting the efforts of malware purveyors. ISC:
-http://isc.sans.org/diary.html?storyid=2295
-http://www.scmagazine.com/us/news/article/635361/sans-institute-ullrich-threaten
ed-zombie-spam-message/
-http://blog.washingtonpost.com/securityfix/2007/02/spammers_declare_war_on_antis
c.html?nav=rss_blog
[Editor's Note (Honan): I hope Johannes and the team have printed off this text and framed it as a glowing reference to the good work they are doing disrupting the operations cyber criminals. On a more serious note this event also highlights that those involved in thwarting cyber criminals should be aware that they could come under attack either electronically or indeed physically and should take appropriate steps to protect themselves. ]

---

=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.

Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit
http://portal.sans.org/